Loading ...Apache Tips: Disable the HTTP TRACE method
Applies: apache 1.3.x / apache 2.0.x
Required apache module: -
Scope: global server configuration
Type: security
Description: How to disable the HTTP TRACE method on recent apache versions.
Most vulnerability scanners (like the popular nessus, but commercial ones also) will complain (normally as a low thread or warning level) about TRACE method being enabled on the web server tested.
Normally you will have this enabled by default, but if you want to test if it is really enabled on your server you just have to telnet on the port your web server is running and request for “TRACE / HTTP/1.0” if you get a positive reply it means TRACE is enabled on your system. The output of a server with TRACE enabled will look like:
telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: foo
Any text entered here will be echoed back in the response <- ENTER twice to finish
HTTP/1.1 200 OK
Date: Sat, 20 Oct 2007 20:39:36 GMT
Server: Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07)
Connection: close
Content-Type: message/http
TRACE / HTTP/1.0
Host: foo
Any text entered here will be echoed back in the response
Connection closed by foreign host.Traditionally experts will suggest to disable this using some rewrite rules like:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
(this needs to be added somewhere in your main apache config file outside of any vhost or directory config).
Still this has the disadvantage that you need to have mod_rewrite enabled on the server just to mention one. But for apache versions newer than 1.3.34 for the legacy branch, and 2.0.55 (or newer) for apache2 this can be done very easily because there is a new apache variable that controls if TRACE method is enabled or not:
TraceEnable off
This needs to be added in the main server config and the default is enabled (on). TraceEnable off causes apache to return a 403 FORBIDDEN error to the client.
After setting this and reloading the apache config the same server as above shows:
telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: foo
testing... <- ENTER twice
HTTP/1.1 403 Forbidden
Date: Sat, 20 Oct 2007 20:38:31 GMT
Server: Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07)
Content-Length: 320
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML(link) PUBLIC "-//IETF//DTD HTML(link) 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
<hr>
<address>Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07) Server at foo Port 80</address>
</body></html>
Connection closed by foreign host. Go to:
Main page of all my Apache Tips & Tricks
22nd October 2007, 13:44
[...] check the full story here [...]
19th April 2009, 13:13
[...] the HTTP TRACE Method which on the other hand could allow Cross-Site Tracing. Therefore, we could disable it by adding the following lines both to /etc/apache2/httpd.conf and to the VirtualHosts inside [...]
31st May 2009, 10:34
[...] schon mehr Sorgen. Ist es doch über diese Lücke möglich Cross-Site-Scripting-Attacken zu fahren. Hier wird beschrieben, wie man selbst einmal testen kann, ob der eigene Webserver anfällig für diese [...]
21st January 2010, 10:18
[...] Apache Tips: Disable the HTTP TRACE method/ for information on how to see if HTTP TRACE is enabled. It is by default in OAS, and most security [...]
22nd April 2010, 13:28
Heya, Thanks for the wonderful article!
I used your article as a basis to write my article, you can check it out.
http://www.pc-freak.net/blog/disable-apache-http-trace-method-to-improve-apache-security/
However some minor things are different on Debian Linux.
Hope some of your Debian readers can benefit from my article.